{"id":8579,"date":"2025-11-20T05:03:29","date_gmt":"2025-11-20T05:03:29","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/20\/legal-restrictions-on-vulnerability-disclosure-html\/"},"modified":"2025-11-20T05:03:29","modified_gmt":"2025-11-20T05:03:29","slug":"legal-restrictions-on-vulnerability-disclosure-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/20\/legal-restrictions-on-vulnerability-disclosure-html\/","title":{"rendered":"Legal Restrictions on Vulnerability Disclosure"},"content":{"rendered":"\n<div>\n<p>Kendra Albert gave an <a href=\"https:\/\/www.youtube.com\/watch?v=lUe3uUvIyT0\">excellent talk<\/a> at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while letting companies leave the vulnerabilities unfixed, which is exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. This is the abstract of the talk:<\/p>\n<blockquote>\n<p>Thirty years ago, a debate raged over whether vulnerability disclosure was good for computer security. On one side, full disclosure advocates argued that software bugs weren\u2019t getting fixed and wouldn\u2019t get fixed if companies that made insecure software weren\u2019t called out publicly. On the other side, companies argued that full disclosure led to exploitation of unpatched vulnerabilities, especially if they were hard to fix. After blog posts, public debates, and countless mailing list flame wars, there emerged a compromise solution: coordinated vulnerability disclosure, where vulnerabilities were disclosed after a period of confidentiality where vendors can attempt to fix things. Although full disclosure fell out of fashion, disclosure won and security through obscurity lost. 
We\u2019ve lived happily ever after since.<\/p>\n<p>Or have we? The move towards paid bug bounties and the rise of platforms that manage bug bounty programs for security teams has changed the reality of disclosure significantly. In certain cases, these programs require agreement to contractual restrictions. Under the status quo, that means that software companies sometimes funnel vulnerabilities into bug bounty management platforms and then condition submission on confidentiality agreements that can prohibit researchers from ever sharing their findings.<\/p>\n<p>In this talk, I\u2019ll explain how confidentiality requirements for managed bug bounty programs restrict the ability of those who attempt to report vulnerabilities to share their findings publicly, compromising the bargain at the center of the CVD process. I\u2019ll discuss what contract law can tell us about how and when these restrictions are enforceable, and more importantly, when they aren\u2019t, providing advice to hackers around how to understand their legal rights when submitting. Finally, I\u2019ll call upon platforms and companies to adapt their practices to be more in line with the original bargain of coordinated vulnerability disclosure, including by banning agreements that require non-disclosure.<\/p>\n<\/blockquote>\n<p>And <a href=\"https:\/\/www.schneier.com\/essays\/archives\/2007\/01\/schneier_full_disclo.html\">this<\/a> is me from 2007, talking about \u201cresponsible disclosure\u201d:<\/p>\n<blockquote>\n<p>This was a good idea\u2014and these days it\u2019s normal procedure\u2014but one that was possible only because full disclosure was the norm. 
And it remains a good idea only as long as full disclosure is the threat.<\/p>\n<\/blockquote>\n<\/div>\n<p>Bruce Schneier<\/p>\n<p><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/11\/legal-restrictions-on-vulnerability-disclosure.html\">Original post at schneier.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kendra Albert gave an excellent talk at USENIX Security this year, pointing out that the legal agreements surrounding vulnerability disclosure muzzle researchers while letting companies leave the vulnerabilities unfixed, which is exactly the opposite of what the responsible disclosure movement of the early 2000s was supposed to prevent. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,457,1363,1,692,416],"tags":[87],"class_list":["post-8579","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-courts","category-disclosure","category-uncategorized","category-video","category-vulnerabilities","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8579"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8579"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8579\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=857
9"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}